2 * Support for VIA PadLock Advanced Cryptography Engine (ACE)
3 * Written by Michal Ludvig <michal@logix.cz>
4 * http://www.logix.cz/michal
6 * Big thanks to Andy Polyakov for a help with optimization,
7 * assembler fixes, port to MS Windows and a lot of other
8 * valuable work on this engine!
11 /* ====================================================================
12 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in
23 * the documentation and/or other materials provided with the
26 * 3. All advertising materials mentioning features or use of this
27 * software must display the following acknowledgment:
28 * "This product includes software developed by the OpenSSL Project
29 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
32 * endorse or promote products derived from this software without
33 * prior written permission. For written permission, please contact
34 * licensing@OpenSSL.org.
36 * 5. Products derived from this software may not be called "OpenSSL"
37 * nor may "OpenSSL" appear in their names without prior written
38 * permission of the OpenSSL Project.
40 * 6. Redistributions of any form whatsoever must retain the following
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
46 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56 * OF THE POSSIBILITY OF SUCH DAMAGE.
57 * ====================================================================
59 * This product includes cryptographic software written by Eric Young
60 * (eay@cryptsoft.com). This product includes software written by Tim
61 * Hudson (tjh@cryptsoft.com).
69 #include <openssl/opensslconf.h>
70 #include <openssl/crypto.h>
71 #include <openssl/dso.h>
72 #include <openssl/engine.h>
73 #include <openssl/evp.h>
74 #ifndef OPENSSL_NO_AES
75 #include <openssl/aes.h>
77 #include <openssl/rand.h>
78 #include <openssl/err.h>
81 #ifndef OPENSSL_NO_HW_PADLOCK
83 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
84 #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
85 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
86 # define DYNAMIC_ENGINE
88 #elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
89 # ifdef ENGINE_DYNAMIC_SUPPORT
90 # define DYNAMIC_ENGINE
93 # error "Only OpenSSL >= 0.9.7 is supported"
96 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
97 Not only that it doesn't exist elsewhere, but it
98 even can't be compiled on other platforms!
100 In addition, because of the heavy use of inline assembler,
101 compiler choice is limited to GCC and Microsoft C. */
102 #undef COMPILE_HW_PADLOCK
103 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
104 # if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
105 (defined(_MSC_VER) && defined(_M_IX86))
106 # define COMPILE_HW_PADLOCK
107 static ENGINE *ENGINE_padlock (void);
111 void ENGINE_load_padlock (void)
113 /* On non-x86 CPUs it just returns. */
114 #ifdef COMPILE_HW_PADLOCK
115 ENGINE *toadd = ENGINE_padlock ();
123 #ifdef COMPILE_HW_PADLOCK
124 /* We do these includes here to avoid header problems on platforms that
125 do not have the VIA padlock anyway... */
128 # define alloca _alloca
133 /* Function for ENGINE detection and control */
134 static int padlock_available(void);
135 static int padlock_init(ENGINE *e);
138 static RAND_METHOD padlock_rand;
141 #ifndef OPENSSL_NO_AES
142 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
146 static const char *padlock_id = "padlock";
147 static char padlock_name[100];
149 /* Available features */
150 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
151 static int padlock_use_rng = 0; /* Random Number Generator */
152 #ifndef OPENSSL_NO_AES
153 static int padlock_aes_align_required = 1;
156 /* ===== Engine "management" functions ===== */
158 /* Prepare the ENGINE structure for registration */
160 padlock_bind_helper(ENGINE *e)
162 /* Check available features */
165 #if 1 /* disable RNG for now, see commentary in vicinity of RNG code */
169 /* Generate a nice engine name with available features */
170 BIO_snprintf(padlock_name, sizeof(padlock_name),
171 "VIA PadLock (%s, %s)",
172 padlock_use_rng ? "RNG" : "no-RNG",
173 padlock_use_ace ? "ACE" : "no-ACE");
175 /* Register everything or return with an error */
176 if (!ENGINE_set_id(e, padlock_id) ||
177 !ENGINE_set_name(e, padlock_name) ||
179 !ENGINE_set_init_function(e, padlock_init) ||
180 #ifndef OPENSSL_NO_AES
181 (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
183 (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
187 /* Everything looks good */
195 ENGINE *eng = ENGINE_new();
201 if (!padlock_bind_helper(eng)) {
209 /* Check availability of the engine */
211 padlock_init(ENGINE *e)
213 return (padlock_use_rng || padlock_use_ace);
216 /* This stuff is needed if this ENGINE is being compiled into a self-contained
219 #ifdef DYNAMIC_ENGINE
221 padlock_bind_fn(ENGINE *e, const char *id)
223 if (id && (strcmp(id, padlock_id) != 0)) {
227 if (!padlock_bind_helper(e)) {
234 IMPLEMENT_DYNAMIC_CHECK_FN ();
235 IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn);
236 #endif /* DYNAMIC_ENGINE */
238 /* ===== Here comes the "real" engine ===== */
240 #ifndef OPENSSL_NO_AES
241 /* Some AES-related constants */
242 #define AES_BLOCK_SIZE 16
243 #define AES_KEY_SIZE_128 16
244 #define AES_KEY_SIZE_192 24
245 #define AES_KEY_SIZE_256 32
247 /* Here we store the status information relevant to the
250 * Inline assembler in PADLOCK_XCRYPT_ASM()
251 * depends on the order of items in this structure.
252 * Don't blindly modify, reorder, etc!
254 struct padlock_cipher_data
256 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
257 union { unsigned int pad[4];
266 } cword; /* Control word */
267 AES_KEY ks; /* Encryption key */
271 * Essentially this variable belongs in thread local storage.
272 * Having this variable global on the other hand can only cause
273 * few bogus key reloads [if any at all on single-CPU system],
274 * so we accept the penatly...
276 static volatile struct padlock_cipher_data *padlock_saved_context;
280 * =======================================================
281 * Inline assembler section(s).
282 * =======================================================
283 * Order of arguments is chosen to facilitate Windows port
284 * using __fastcall calling convention. If you wish to add
285 * more routines, keep in mind that first __fastcall
286 * argument is passed in %ecx and second - in %edx.
287 * =======================================================
289 #if defined(__GNUC__) && __GNUC__>=2
291 * As for excessive "push %ebx"/"pop %ebx" found all over.
292 * When generating position-independent code GCC won't let
293 * us use "b" in assembler templates nor even respect "ebx"
294 * in "clobber description." Therefore the trouble...
297 /* Helper function - check if a CPUID instruction
298 is available on this CPU */
300 padlock_insn_cpuid_available(void)
304 /* We're checking if the bit #21 of EFLAGS
305 can be toggled. If yes = CPUID is available. */
309 "xorl $0x200000, %%eax\n"
310 "movl %%eax, %%ecx\n"
311 "andl $0x200000, %%ecx\n"
316 "andl $0x200000, %%eax\n"
317 "xorl %%eax, %%ecx\n"
319 : "=r" (result) : : "eax", "ecx");
321 return (result == 0);
324 /* Load supported features of the CPU to see if
325 the PadLock is available. */
327 padlock_available(void)
329 char vendor_string[16];
330 unsigned int eax, edx;
332 /* First check if the CPUID instruction is available at all... */
333 if (! padlock_insn_cpuid_available())
336 /* Are we running on the Centaur (VIA) CPU? */
338 vendor_string[12] = 0;
342 "movl %%ebx,(%%edi)\n"
343 "movl %%edx,4(%%edi)\n"
344 "movl %%ecx,8(%%edi)\n"
346 : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
347 if (strcmp(vendor_string, "CentaurHauls") != 0)
350 /* Check for Centaur Extended Feature Flags presence */
352 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
353 : "+a"(eax) : : "ecx", "edx");
354 if (eax < 0xC0000001)
357 /* Read the Centaur Extended Feature Flags */
359 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
360 : "+a"(eax), "=d"(edx) : : "ecx");
362 /* Fill up some flags */
363 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
364 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
366 return padlock_use_ace + padlock_use_rng;
369 #ifndef OPENSSL_NO_AES
370 /* Our own htonl()/ntohl() */
372 padlock_bswapl(AES_KEY *ks)
374 size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
375 unsigned int *key = ks->rd_key;
378 asm volatile ("bswapl %0" : "+r"(*key));
384 /* Force key reload from memory to the CPU microcode.
385 Loading EFLAGS from the stack clears EFLAGS[30]
386 which does the trick. */
388 padlock_reload_key(void)
390 asm volatile ("pushfl; popfl");
393 #ifndef OPENSSL_NO_AES
395 * This is heuristic key context tracing. At first one
396 * believes that one should use atomic swap instructions,
397 * but it's not actually necessary. Point is that if
398 * padlock_saved_context was changed by another thread
399 * after we've read it and before we compare it with cdata,
400 * our key *shall* be reloaded upon thread context switch
401 * and we are therefore set in either case...
404 padlock_verify_context(struct padlock_cipher_data *cdata)
416 :"+m"(padlock_saved_context)
417 : "r"(padlock_saved_context), "r"(cdata) : "cc");
420 /* Template for padlock_xcrypt_* modes */
422 * The offsets used with 'leal' instructions
423 * describe items of the 'padlock_cipher_data'
426 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
427 static inline void *name(size_t cnt, \
428 struct padlock_cipher_data *cdata, \
429 void *out, const void *inp) \
431 asm volatile ( "pushl %%ebx\n" \
432 " leal 16(%0),%%edx\n" \
433 " leal 32(%0),%%ebx\n" \
436 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
437 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
442 /* Generate all functions with appropriate opcodes */
443 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
444 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
445 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
446 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
449 /* The RNG call itself */
450 static inline unsigned int
451 padlock_xstore(void *addr, unsigned int edx_in)
453 unsigned int eax_out;
455 asm volatile (".byte 0x0f,0xa7,0xc0" /* xstore */
456 : "=a"(eax_out),"=m"(*(unsigned *)addr)
457 : "D"(addr), "d" (edx_in)
463 /* Why not inline 'rep movsd'? I failed to find information on what
464 * value in Direction Flag one can expect and consequently have to
465 * apply "better-safe-than-sorry" approach and assume "undefined."
466 * I could explicitly clear it and restore the original value upon
467 * return from padlock_aes_cipher, but it's presumably too much
468 * trouble for too little gain...
470 * In case you wonder 'rep xcrypt*' instructions above are *not*
471 * affected by the Direction Flag and pointers advance toward
472 * larger addresses unconditionally.
474 static inline unsigned char *
475 padlock_memcpy(void *dst,const void *src,size_t n)
481 do { *d++ = *s++; } while (--n);
486 #elif defined(_MSC_VER)
488 * Unlike GCC these are real functions. In order to minimize impact
489 * on performance we adhere to __fastcall calling convention in
490 * order to get two first arguments passed through %ecx and %edx.
491 * Which kind of suits very well, as instructions in question use
492 * both %ecx and %edx as input:-)
494 #define REP_XCRYPT(code) \
496 _asm _emit 0x0f _asm _emit 0xa7 \
500 * The offsets used with 'lea' instructions
501 * describe items of the 'padlock_cipher_data'
504 #define PADLOCK_XCRYPT_ASM(name,code) \
505 static void * __fastcall \
506 name (size_t cnt, void *cdata, \
507 void *outp, const void *inp) \
509 _asm lea edx,[eax+16] \
510 _asm lea ebx,[eax+32] \
516 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
517 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
518 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
519 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
521 static int __fastcall
522 padlock_xstore(void *outp,unsigned int code)
524 _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
527 static void __fastcall
528 padlock_reload_key(void)
529 { _asm pushfd _asm popfd }
531 static void __fastcall
532 padlock_verify_context(void *cdata)
537 cmp ecx,padlock_saved_context
542 mov padlock_saved_context,ecx
547 padlock_available(void)
582 mov padlock_use_ace,1
588 mov padlock_use_rng,1
595 static void __fastcall
596 padlock_bswapl(void *key)
611 /* MS actually specifies status of Direction Flag and compiler even
612 * manages to compile following as 'rep movsd' all by itself...
614 #define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
617 /* ===== AES encryption/decryption ===== */
618 #ifndef OPENSSL_NO_AES
620 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
621 #define NID_aes_128_cfb NID_aes_128_cfb128
624 #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
625 #define NID_aes_128_ofb NID_aes_128_ofb128
628 #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
629 #define NID_aes_192_cfb NID_aes_192_cfb128
632 #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
633 #define NID_aes_192_ofb NID_aes_192_ofb128
636 #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
637 #define NID_aes_256_cfb NID_aes_256_cfb128
640 #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
641 #define NID_aes_256_ofb NID_aes_256_ofb128
644 /* List of supported ciphers. */
645 static int padlock_cipher_nids[] = {
654 NID_aes_192_cfb, /* FIXME: AES192/256 CFB/OFB don't work. */
665 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
666 sizeof(padlock_cipher_nids[0]));
668 /* Function prototypes ... */
669 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
670 const unsigned char *iv, int enc);
671 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
672 const unsigned char *in, size_t nbytes);
674 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
675 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
676 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
677 NEAREST_ALIGNED(ctx->cipher_data))
679 /* Declaring so many ciphers by hand would be a pain.
680 Instead introduce a bit of preprocessor magic :-) */
681 #define DECLARE_AES_EVP(ksize,lmode,umode) \
682 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = { \
683 NID_aes_##ksize##_##lmode, \
685 AES_KEY_SIZE_##ksize, \
687 0 | EVP_CIPH_##umode##_MODE, \
688 padlock_aes_init_key, \
689 padlock_aes_cipher, \
691 sizeof(struct padlock_cipher_data) + 16, \
692 EVP_CIPHER_set_asn1_iv, \
693 EVP_CIPHER_get_asn1_iv, \
698 DECLARE_AES_EVP(128,ecb,ECB);
699 DECLARE_AES_EVP(128,cbc,CBC);
700 DECLARE_AES_EVP(128,cfb,CFB);
701 DECLARE_AES_EVP(128,ofb,OFB);
703 DECLARE_AES_EVP(192,ecb,ECB);
704 DECLARE_AES_EVP(192,cbc,CBC);
705 DECLARE_AES_EVP(192,cfb,CFB);
706 DECLARE_AES_EVP(192,ofb,OFB);
708 DECLARE_AES_EVP(256,ecb,ECB);
709 DECLARE_AES_EVP(256,cbc,CBC);
710 DECLARE_AES_EVP(256,cfb,CFB);
711 DECLARE_AES_EVP(256,ofb,OFB);
714 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
716 /* No specific cipher => return a list of supported nids ... */
718 *nids = padlock_cipher_nids;
719 return padlock_cipher_nids_num;
722 /* ... or the requested "cipher" otherwise */
724 case NID_aes_128_ecb:
725 *cipher = &padlock_aes_128_ecb;
727 case NID_aes_128_cbc:
728 *cipher = &padlock_aes_128_cbc;
730 case NID_aes_128_cfb:
731 *cipher = &padlock_aes_128_cfb;
733 case NID_aes_128_ofb:
734 *cipher = &padlock_aes_128_ofb;
737 case NID_aes_192_ecb:
738 *cipher = &padlock_aes_192_ecb;
740 case NID_aes_192_cbc:
741 *cipher = &padlock_aes_192_cbc;
743 case NID_aes_192_cfb:
744 *cipher = &padlock_aes_192_cfb;
746 case NID_aes_192_ofb:
747 *cipher = &padlock_aes_192_ofb;
750 case NID_aes_256_ecb:
751 *cipher = &padlock_aes_256_ecb;
753 case NID_aes_256_cbc:
754 *cipher = &padlock_aes_256_cbc;
756 case NID_aes_256_cfb:
757 *cipher = &padlock_aes_256_cfb;
759 case NID_aes_256_ofb:
760 *cipher = &padlock_aes_256_ofb;
764 /* Sorry, we don't support this NID */
772 /* Prepare the encryption key for PadLock usage */
774 padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
775 const unsigned char *iv, int enc)
777 struct padlock_cipher_data *cdata;
778 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
780 if (key==NULL) return 0; /* ERROR */
782 cdata = ALIGNED_CIPHER_DATA(ctx);
783 memset(cdata, 0, sizeof(struct padlock_cipher_data));
785 /* Prepare Control word. */
786 cdata->cword.b.encdec = (ctx->encrypt == 0);
787 cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
788 cdata->cword.b.ksize = (key_len - 128) / 64;
792 /* PadLock can generate an extended key for
793 AES128 in hardware */
794 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
795 cdata->cword.b.keygen = 0;
800 /* Generate an extended AES key in software.
801 Needed for AES192/AES256 */
802 /* Well, the above applies to Stepping 8 CPUs
803 and is listed as hardware errata. They most
804 likely will fix it at some point and then
805 a check for stepping would be due here. */
807 AES_set_encrypt_key(key, key_len, &cdata->ks);
809 AES_set_decrypt_key(key, key_len, &cdata->ks);
811 /* OpenSSL C functions use byte-swapped extended key. */
812 padlock_bswapl(&cdata->ks);
814 cdata->cword.b.keygen = 1;
823 * This is done to cover for cases when user reuses the
824 * context for new key. The catch is that if we don't do
825 * this, padlock_eas_cipher might proceed with old key...
827 padlock_reload_key ();
833 * Simplified version of padlock_aes_cipher() used when
834 * 1) both input and output buffers are at aligned addresses.
836 * 2) running on a newer CPU that doesn't require aligned buffers.
839 padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
840 const unsigned char *in_arg, size_t nbytes)
842 struct padlock_cipher_data *cdata;
845 cdata = ALIGNED_CIPHER_DATA(ctx);
846 padlock_verify_context(cdata);
848 switch (EVP_CIPHER_CTX_mode(ctx)) {
849 case EVP_CIPH_ECB_MODE:
850 padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
853 case EVP_CIPH_CBC_MODE:
854 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
855 iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
856 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
859 case EVP_CIPH_CFB_MODE:
860 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
861 iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
862 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
865 case EVP_CIPH_OFB_MODE:
866 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
867 padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
868 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
875 memset(cdata->iv, 0, AES_BLOCK_SIZE);
880 #ifndef PADLOCK_CHUNK
881 # define PADLOCK_CHUNK 4096 /* Must be a power of 2 larger than 16 */
883 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
884 # error "insane PADLOCK_CHUNK..."
887 /* Re-align the arguments to 16-Bytes boundaries and run the
888 encryption function itself. This function is not AES-specific. */
890 padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
891 const unsigned char *in_arg, size_t nbytes)
893 struct padlock_cipher_data *cdata;
897 int inp_misaligned, out_misaligned, realign_in_loop;
898 size_t chunk, allocated=0;
902 if (nbytes % AES_BLOCK_SIZE)
903 return 0; /* are we expected to do tail processing? */
905 /* VIA promises CPUs that won't require alignment in the future.
906 For now padlock_aes_align_required is initialized to 1 and
907 the condition is never met... */
908 if (!padlock_aes_align_required)
909 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
911 inp_misaligned = (((size_t)in_arg) & 0x0F);
912 out_misaligned = (((size_t)out_arg) & 0x0F);
914 /* Note that even if output is aligned and input not,
915 * I still prefer to loop instead of copy the whole
916 * input and then encrypt in one stroke. This is done
917 * in order to improve L1 cache utilization... */
918 realign_in_loop = out_misaligned|inp_misaligned;
920 if (!realign_in_loop)
921 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
923 /* this takes one "if" out of the loops */
925 chunk %= PADLOCK_CHUNK;
926 if (chunk==0) chunk = PADLOCK_CHUNK;
928 if (out_misaligned) {
929 /* optmize for small input */
930 allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
931 out = alloca(0x10 + allocated);
932 out = NEAREST_ALIGNED(out);
937 cdata = ALIGNED_CIPHER_DATA(ctx);
938 padlock_verify_context(cdata);
940 switch (EVP_CIPHER_CTX_mode(ctx)) {
941 case EVP_CIPH_ECB_MODE:
944 inp = padlock_memcpy(out, in_arg, chunk);
949 padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
952 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
954 out = out_arg+=chunk;
957 chunk = PADLOCK_CHUNK;
961 case EVP_CIPH_CBC_MODE:
962 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
966 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
967 chunk = PADLOCK_CHUNK;
968 cbc_shortcut: /* optimize for small input */
970 inp = padlock_memcpy(out, in_arg, chunk);
975 iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
978 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
980 out = out_arg+=chunk;
982 } while (nbytes -= chunk);
983 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
986 case EVP_CIPH_CFB_MODE:
987 memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
991 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
992 chunk = PADLOCK_CHUNK;
993 cfb_shortcut: /* optimize for small input */
995 inp = padlock_memcpy(out, in_arg, chunk);
1000 iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1003 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1005 out = out_arg+=chunk;
1007 } while (nbytes -= chunk);
1008 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
1011 case EVP_CIPH_OFB_MODE:
1012 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
1015 inp = padlock_memcpy(out, in_arg, chunk);
1020 padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1023 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1025 out = out_arg+=chunk;
1028 chunk = PADLOCK_CHUNK;
1030 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
1037 /* Clean the realign buffer if it was used */
1038 if (out_misaligned) {
1039 volatile unsigned long *p=(void *)out;
1040 size_t n = allocated/sizeof(*p);
1044 memset(cdata->iv, 0, AES_BLOCK_SIZE);
1049 #endif /* OPENSSL_NO_AES */
1051 /* ===== Random Number Generator ===== */
1053 * This code is not engaged. The reason is that it does not comply
1054 * with recommendations for VIA RNG usage for secure applications
1055 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
1056 * provide meaningful error control...
1058 /* Wrapper that provides an interface between the API and
1059 the raw PadLock RNG */
1061 padlock_rand_bytes(unsigned char *output, int count)
1063 unsigned int eax, buf;
1065 while (count >= 8) {
1066 eax = padlock_xstore(output, 0);
1067 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1068 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1069 if (eax&(0x1F<<10)) return 0;
1070 if ((eax&0x1F)==0) continue; /* no data, retry... */
1071 if ((eax&0x1F)!=8) return 0; /* fatal failure... */
1076 eax = padlock_xstore(&buf, 3);
1077 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1078 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1079 if (eax&(0x1F<<10)) return 0;
1080 if ((eax&0x1F)==0) continue; /* no data, retry... */
1081 if ((eax&0x1F)!=1) return 0; /* fatal failure... */
1082 *output++ = (unsigned char)buf;
1085 *(volatile unsigned int *)&buf=0;
1090 /* Dummy but necessary function */
1092 padlock_rand_status(void)
1097 /* Prepare structure for registration */
1098 static RAND_METHOD padlock_rand = {
1100 padlock_rand_bytes, /* bytes */
1103 padlock_rand_bytes, /* pseudorand */
1104 padlock_rand_status, /* rand status */
1107 #endif /* COMPILE_HW_PADLOCK */
1109 #endif /* !OPENSSL_NO_HW_PADLOCK */
1110 #endif /* !OPENSSL_NO_HW */